Like $listSearchIndexes, access to $listExtensions should be restricted to the read, dbAdmin, and clusterAdmin roles as defined in builtin_roles.yml. These roles should contain a new AccessType called listExtensions and implement a PrivilegeVector using ResourcePattern::forClusterResource.